Skip to content

"managed-keys" zone is created even with "dnssec-validation no;"

With the following configuration file:

options {
	dnssec-validation no;
};

named logs the following lines upon startup:

13-May-2022 07:06:05.967 set up managed keys zone for view _default, file 'managed-keys.bind'
13-May-2022 07:06:05.971 managed-keys-zone: loaded serial 0

and indeed creates a zone attached to the _default view which only contains a SOA record.

The same thing happens for dnssec-validation yes;.

This is harmless, but confusing at best, for two reasons:

  1. The managed-keys.bind file is never written to, despite what the log message suggests.

  2. No managed keys are ever refreshed or used.

Introduced by commit 778a01b1, i.e. in BIND 9.7.1.

See also #1961 for more logging confusion related to RFC 5011.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information